Biclique Attack of the Full ARIA-256

In this paper, combining the biclique cryptanalysis with the MITM attack, we present the first key recovery method for the full ARIA-256 faster than brute-force. The attack requires $2^{80}$ chosen plaintexts, and the time complexity is about $2^{255.2}$ full-round ARIA encryptions in the processing phase

A Star-based Independent Biclique Attack on Full Rounds SQUARE

SQUARE is an iterated block cipher proposed by Daemen et.al. in FSE1997. Inspired by Bogdanov et.al.’s recent works [12], we first present an improved biclique attack, i.e. stat-based independent biclique attack on full rounds SQUARE in this paper. We construct a one round stat-based independent biclique for the initial round, and utilize matching with precomputation techniques to recover the whole key from the remaining rounds. The computing complexity of our attack is about $2^(126.17)$ encryptions and required data can be reduced to a single plaintext-ciphertext pair. To be the best of our knowledge, our attack has an optimal computing complexity and data complexity of biclique attack on full rounds SQUARE

Biclique Cryptanalysis of Lightweight Block Ciphers PRESENT, Piccolo and LED

In this paper, we evaluate the security of lightweight block ciphers PRESENT, Piccolo and LED against biclique cryptanalysis. To recover the secret key of PRESENT-80/128, our attacks require $2^{79.76}$ full PRESENT-80 encryptions and $2^{127.91}$ full PRESENT-128 encryptions, respectively. Our attacks on Piccolo-80/128 require computational complexities of $2^{79.13}$ and $2^{127.35}$, respectively. The attack on a $29$-round reduced LED-64 needs $2^{63.58}$ 29-round reduced LED-64 encryptions. In the cases of LED-80/96/128, we propose the attacks on two versions. First, to recover the secret key of $45$-round reduced LED-80/96/128, our attacks require computational complexities of $2^{79.45}, 2^{95.45}$ and $2^{127.45}$, respectively. To attack the full version, we require computational complexities of $2^{79.37}, 2^{95.37}$ and $2^{127.37}$, respectively. However, in these cases, we need the full codebook. These results are superior to known biclique cryptanalytic results on them

Collision Attack on 4-branch, Type-2 GFN based Hash Functions using Sliced Biclique Cryptanalysis Technique

In this work, we apply the sliced biclique cryptanalysis technique to show 8-round collision attack on a hash function H based on 4-branch, Type-2 Generalized Feistel Network (Type-2 GFN). This attack is generic and works on 4-branch, Type-2 GFN with any parameters including the block size, type of round function, the number of S-boxes in each round and the number of SP layers inside the round function. We first construct a 8-round distinguisher on 4-branch, Type-2 GFN and then use this distinguisher to launch 8-round collision attack on compression functions based on Matyas-Meyer-Oseas (MMO) and Miyaguchi-Preneel (MP) modes. The complexity of the attack on 128-bit compression function is 2^56. The attack can be directly translated to collision attack on MP and MMO based hash functions and pseudo-collision attack on Davies-Meyer (DM) based hash functions. When the round function F is instantiated with double SP layer, we show the first 8-round collision attack on 4-branch, Type-2 GFN with double SP layer based compression function. The previous best attack on this structure was a 6-round near collision attack shown by Sasaki at Indocrypt\u2712. His attack cannot be used to generate full collisions on 6-rounds and hence our result can be regarded the best so far in literature on this structure

Bicliques with Minimal Data and Time Complexity for AES (Extended Version)

Biclique cryptanalysis is a recent technique that has been successfully applied to AES resulting in key recovery faster than brute force. However, a major hurdle in carrying out biclique cryptanalysis on AES is that it requires very high data complexity. This naturally warrants questions over the practical feasibility of implementing biclique attack in the real world. In Crypto\u2713, Canteaut et al. proposed biclique attack where the data complexity of the attack was reduced to a single plaintext-ciphertext pair. However, no application of the same on AES was suggested. In this paper, we re-evaluate the security-bound of full round AES against biclique attack. Under some reasonable restrictions, we exhaustively analyze the most promising class of biclique cryptanalysis as applied to AES through a computer-assisted search and find optimal attacks towards lowest computational and data complexities: - Among attacks with the minimal data complexity of the unicity distance, the ones with computational complexity 2^126.67 (for AES-128), 2^190.9 (for AES-192) and 2^255 (for AES-256) are the fastest. Each attack just requires 2 (for AES-128 and AES-192) or 3 (for AES-256) known plaintexts for success probability 1. We obtain these results using the improved biclique attack proposed in Crypto\u2713. - Among attacks with data complexity less than the full codebook, for AES-128, the ones of computational complexity 2^126.16 are fastest. Within these, the one with data complexity 2^64 requires the smallest amount of data. Thus, the original attack (with data complexity 2^88) did not have the optimal data complexity for AES-128. Similar findings are observed for AES-192 as well (data complexity 2^48 as against 2^80 in the original attack). For AES-256, we find an attack that has a lower computational complexity of 2^254.31 as compared to the original attack complexity of 2^254.42. - Among all attacks covered, the ones of computational complexity 2^125.56 (for AES-128), 2^189.51 (for AES-192) and 2^253.87 (for AES-256) are fastest, though requiring the full codebook. This can be considered as an indication of the limitations of the independent-biclique attack approach as applied to AES

Biclique Cryptanalysis Of PRESENT, LED, And KLEIN

In this paper, we analyze the resistance of the lightweight ciphers PRESENT, LED, and KLEIN to biclique attacks. Primarily, we describe attacks on the full-round versions PRESENT-80, PRESENT-128, LED-64, LED-128, KLEIN-80, and KLEIN-96. Our attacks have time complexities of $2^{79.49}$, $2^{127.32}$, $2^{63.58}$, $2^{127.42}$, $2^{79.00}$, and $2^{95.18}$ encryptions, respectively. In addition, we consider attacks on round-reduced versions of PRESENT and LED, to show the security margin for which an adversary can obtain an advantage of at least a factor of two compared to exhaustive search